Posted by samzenpus on Wednesday March 23, 2011 @02:38PM from the bad-ideas dept.

wiredmikey writes "A former contract security guard who admitted hacking into a hospital's computer systems (where he worked), was sentenced to 110 months in Federal prison. Why did he do it? He admits that he intended to use the bots and the compromised computers to launch DDoS attacks on the websites of rival hacker groups. The FBI says he posted video of himself hacking into the hospital computers on YouTube — While the theme of 'Mission Impossible' played, he described his hack, step by step, including the insertion of a CD containing the OphCrack program, which allowed him to bypass all security. The FBI found the CD containing the OphCrack program in McGraw's house and found the source code for the bot on his laptop."

"FBI agents have raided the homes of three alleged members of a hacker gang that harassed a security expert who helped put the group’s leader in jail, according to a recently unsealed search warrant affidavit.

Jesse William McGraw, aka “GhostExodus,” pleaded guilty in May to computer-tampering charges for putting malware on a dozen machines at the Texas hospital where he worked as a security guard. He also installed the remote-access program LogMeIn on the hospital’s Windows-controlle

Has "security researcher" become the code for confidential informant? Why else would the "researcher" go out of his way to "inform" the FBI?

If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be too much?

Why do articles even call them "security researchers"? Now if this guy's job is to investigate hackers, then he should be called a "cyber crime investigator". It's disingenuous to call a cyber crime investigator/cybercop detective a security researcher. What is with this trend?

Who cares if the person was a "security researcher" or "cybercop detective"? What's it matter?

And what is the official function of a security researcher? Are they informants? I'd think maybe not if they aren't pretending to be outlaw/blackhats, so I cannot put them in the obvious informant/snitch category that Albert Gonzalez [wikipedia.org] is in. An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.

You took the term "security researcher", substituted your own definition of "confidential informant", and then hinted that the person might be a snitch...

The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?

And yes, the only way to enforce laws effectively is for crimes to be reported effectively. It's unfortunate that so many people think that reporting a crime is cause for immediate public execution, but the attitude will be there so long as there is no effective punishment for violently repressing anyone willing to call 911.

That is not the situation at all. Being a witness to a crime is not the same as being a snitch. A snitch knows the individuals who committed the crime, had the trust of these individuals, and betrayed them. I'm not saying the guy who found the photo and reported it to the FBI is a snitch like Albert Gonzalez and I'm not saying someone who witnesses a crime is snitching. You do risk your life and limb as a witness but it's not betraying anyone or harming your friendships to be a witness so the stigma is only

But if you are just a researcher then your interest is purely academic, so what would you have to gain by reporting every crime you see?

As a scientist, you have an ethical obligation to report particularly dangerous crimes. Sounds like this guy was boasting about coopting his hospital's systems and using them to fight other bot nets. That has a potential for killing people that compromised computers normally don't have.

This seems to imply that there are crimes you don't report. Is there some sort of ethical standard for what gets reported and what doesn't or is it left to the judgement of the scientist?

And that can indeed be the case. For example, I read of an economics researcher who studied a US street gang who was heavily involved in cocaine and crack dealing. One of the conditions for their cooperation with him was that he wouldn't report their involvement in a variety of crimes (such as drug possession, tax evasion, and violations of US labor law). I think he would still be ethically obligated to report to the police any serious crime he witnessed like assault and battery, murder, etc.

> Is there some sort of ethical standard for what gets reported and what doesn't or is it left to the judgement of the scientist?

I'd say he's qualified. I don't understand why parent automatically assumed he was just an informant. If you're a private detective with a PhD in Criminal Forensics and you see a felony take place wouldn't you call the police? Would /. then assume you're simply an informant instead of being the private detective that the article correctly identified you as being?

If they don't pay attention to the rules, they will run afoul of folks whose livelihood they are impacting. And probably end up as another statistic on how hazardous it is for minorities in the inner city.

Of course, you are correct that the only way for law enforcement is to have snitches. If they are subsequently beaten, tortured or killed it isn't the fault of law enforcement but our own sick, twisted society. It comes down to who do y

possibly because cops spend all day with robbers and quite often the robbers tend to get paid better, which opens the cops up to turning a blind eye to some of the robbers in return for protection from arrest...

> If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be too much?

It's not like calling in a break-in of someone's house. I've done that myself. Called it in while I was watching across the street, and identified the bad guys while talking on 911 and later as I sat in the police car and the cop shined a light on them (they were caught).

> If you saw people breaking into a home wouldn't you report it? Or would the stigma of "confidential informant" be too much?

That depends on whose home it is. If it's a rich asshole's home, probably not. If it's my friend's home, most definitely. If it's a complete stranger's home, probably not because the complete stranger could be an even bigger crook than the burglars in the end.

Ok...but in this case it's more like breaking into the hospital to steal drugs...

And if I were the one who cracked the case then I would not be a security researcher, I would be a cyber crime investigator. I mean what is so difficult to understand? If someone does the police work for the police then the police don't have to pay anybody. This saves the police money but it does not necessarily make us any safer. Whether or not we'd be safer would have to be decided on a case by case basis.

So what I'm saying is, if there really are cyber police or if there should be cyber police, shouldn't th

I always ask people, at what magical number does 'theft' become 'economic justice'?

Justice is for the strong. What that means is that the rich typically get justice through the law and the poor do not. The law does not treat rich and poor equally, you know this and I know this.

So if a rich stranger's house is being broken into and burglarized I'm just not going to care about that rich person's junk. That rich person has more stuff than they need anyway, and I wouldn't want to spend my time sitting in court.

Now if the roles were completely reversed and I'm the rich person and I'm watching a g

This is the worst kind of thinking. 'The poor don't get justice so I'll make sure the rich don't get it either! Then we'll all be equal!' Equally fucked. Such a great thing to which to aspire. Equality is not the sacred thing you seem to think it is. To paraphrase Margaret Thatcher, it is better to have a higher standard of living for the majority in a society with a high disparity than it is to have a lower standard of living for the majority in a society of greater equality.

> Equality is not the sacred thing you seem to think it is. To paraphrase Margaret Thatcher, it is better to have a higher standard of living for the majority in a society with a high disparity than it is to have a lower standard of living for the majority in a society of greater equality.

You could go with Rawls (paraphrased): Inequalities are acceptable if they make the worst off in the new system better off than the worst off without those inequalities.

> Now if the roles were completely reversed and I'm the rich person and I'm watching a ghetto dwelling person's house getting broken into, maybe I'd decide to be a witness as a way to give back for what society has given me. In fact maybe I'd just give the unfortunate person some financial assistance, pay the legal fees, or give them a job.

No, you wouldn't.

You would likely feel you'd earned every penny you had and not owe anything back to society. You certainly wouldn't risk it for some poor person who could never pay you back and might expose you to personal risk.

Not if I were poor and became rich. If I were born rich you'd probably be right, but since I wasn't, I won't think rich.

When you are rich it's no personal risk to yourself to help a poor person but when you are poor there is great personal risk to yourself to help a rich person.

Society is something I tolerate. I did not ask to be born into this society. I do not have any emotional attachment to this society. It's not all good.

There are good people who matter to me. I care about those people. The social contract isn't real and does not exist. People pretend it exists just as they pretend human rights exist and just as they adopt American exceptionalism.

You think the world owes you all its natural resources because you are an American? You think lives in foreign countries don't mat

I'm not paid too much, but I am taxed too little. I would gladly raise my own tax rates by 5% if it applied to everyone making as much as I am or more (esp. if it applied to Warren Buffett, etc. who currently have their salaries as investment income.)

I always ask people, at what magical number does 'theft' become 'economic justice'?

> That depends on whose home it is. If it's a rich asshole's home, probably not

You do realize that this means you, too, are an asshole, and that someone even lower on the moral chain than yourself will watch someone break into your house and do nothing for the same reason?

The chain of violence only stops when people like you stop demonizing based on external factors.

If I don't know anything at all about a person, never met the person in my life, I don't have any responsibility to care about the person.

And no I don't assume a majority of rich persons care about me. My decision of whether or not to be a witness would depend on factors such as whether or not I knew them, whether or not I want to sit in court for weeks or months, but it's still my decision to make.

Just like if someone decides to give to charity or give a donation, it's their decision to make. Nobody should

Just because you would die for a random rich person, does not mean a random rich person would save your life.

So if you want to die for some rich asshole, go ahead and be my guest. The only people who matter are the people who you actually know. You think otherwise? Maybe you should have stopped the troops from bombing Iraq and stealing the oil and maybe you should have saved the Soviet Union from the cold war, and maybe you should have helped save the children.

Not all research is academic. I work with a large number of research scientists, very few of them are doing anything academic. This particular security researcher is someone who makes his living by providing his skills to companies and other organizations in return for money. He researches security risks and ways to compromise computer systems and develops tools to combat them (my interpretation of the information on his business website). The overlap between what he does as a security researcher and what a cybe

I don't think you understand how whitehats think. They think they are talented superhero vigilante crime fighters. I've known a few in my time, and they are frequently the kind of Eagle Scout archetype of a neighborhood watch captain. They have no real official power, but they get off on being "the good guys" and will turn in anybody for anything. It's a terrible combination of boredom, a modicum of skill, and an underdeveloped legalist sense of ethics.

> An informant/snitch generally is someone who is a criminal hacker or member of a crew, who betrays his or her own crew to provide information to another crew (usually the police). Albert Gonzalez fits the definition of a snitch, the worst kind.

There is no honor among thieves.

The hacker trades in secrets - and there is no bigger secret than the identity of other hackers.

If someone is a friend, or is family, and you know ratting them out will put them in prison where they'll be ass raped for a decade, what kind of person are you if you give their identity to the FBI?

> Has "security researcher" become the code for confidential informant?

No. The guy is literally a PhD student who studies computer security.

> Why else would the "researcher" go out of his way to "inform" the FBI?

I don't know why "inform" was in quotes. He did it because he saw that an HVAC system at a hospital was compromised, and thought that could pose a danger to human beings. He called the police and FBI with information about who had done it. And considering that the person with remote control of t

Right, because nurses and maintenance people have lots and lots of time to learn new operating systems, new GUIs, and the new programming conventions that come with an OS change. The X-ray machine will use Red Hat with gnome, the climate control system will be Suse with KDE, the pharmacy will be OS-X and the MRI will be DRDOS with some piece of crap interface that Philips cobbles together. Truly something to look forward to.

When you graduate and get out in the real world you're going to find that stand

If only there was a Linux distribution whose target audience is hospitals, government, education, etc., and whose goals include API/ABI stability and long-term support. Perhaps we can call it "Enterprise Linux." I'll email Red Hat.

Being in the medical IT field I can tell you that almost all medical software is written for Windows. And last I checked I don't think you can arrest anyone for developing for the Windows platform. Just because the system is on Windows doesn't automatically make it insecure. There are a number of things that could have been done to mitigate this such as... super-gluing the USB ports, securing door access, group policy to lock down what can be run. If best practice security was followed this guy would h

This question goes out to security researchers. When is it a good idea to inform the FBI of a crime? Does it depend on whether or not you are white hat, black hat, grey hat? Does it depend on whether or not you are in the same crew as the person, or know the person? And if you do, does it remain just research or does the function of the security researcher change to investigator?

I keep seeing various different job titles, security researcher, cyber crime investigator, cyber cop, cyber warrior, and I do not understand the different inherent functions of these terms. At the same time you have obvious professional betrayers like Albert Gonzalez being called "agents" and "heroes" by the feds in one sentence and then later on the feds are locking him up and he's a dirty rotten snitch greedy scoundrel.

So which security researcher, hacker, or cyber crime investigator wants to clear up exactly the different functions and roles?

Actions define people, not titles. You obviously already know this, why bother using it as an excuse to get on your soapbox? No one cares what they call themselves, except maybe them.

It likely has less to do with their title and more to do with who they work for. If they work for the federal government directly, at an agency, they might be compelled to submit this information. If they work for a government funded, third party organization, perhaps it's in a contract. They may work for a totally private organization or free-lance in which case they likely have full discretion. Or maybe the "informant" was just a disgruntled acquaintance.

that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

Anyway if it's in the contract or a part of their job title and definition then nobody can accuse them of being an informant, and at the sam

> that they must submit it the information, in my opinion it should be submitted to the person directly above them and that person should decide whether to submit it to the government or not. I just want full disclosure. If some security researcher is collecting information about me, shouldn't I know that they might give it to the government if the government asks for it?

How delusional are you? You pretty much waive this right when you willfully submit that information to the public. If I see evidence of you doing something illegal and then you post a video of yourself committing a crime on YouTube, you've pretty much waived all rights to disclosure.

This this a million times this. Stay as FAR AWAY from police as possible at all times. They're like a tornado of trouble and being in their vicinity, **even when you're doing good for society**, can damage you in all kinds of horrible ways.

If anyone sees a crime, they should report it. This has nothing to do with hackers or not, or the fictitious color of their hats. It is always a good idea to report it unless you have concerns about your own safety. Face it these guys are not boy scouts and they know they are committing serious crimes. Looking the other way is a serious breach of morality. Who cares about the roles. Their role as a public citizen should be enough to compel them to report a crime.

Do we have a winner for the prize of "stupidest person alive"? Who, with the slightest semblance of common sense, would think that posting a video of themselves doing this was a good idea? This ranks up there with the guy who used a camera mounted to his motorbike to record himself doing 140mph+ in the UK, then posted it on YouTube with his face and licence-plate.

HARRISBURG, Pa. - Police say a man tried to open an account before robbing a central Pennsylvania bank, but only after he'd already handed over two forms of identification.

Harrisburg police say 35-year-old Daniel Rahynes walked into a bank on Sunday and told tellers he was interested in opening an account. After he gave bank employees his information, he declared that he was actually there to rob the bank.

This is exactly why we don't counter-attack those attempting to penetrate our network. While you *might* have some slim chance of reaching the attacker, chances are equally good you will end up attacking some systems in a hospital or something equally unacceptable.

Not only that, but he was also hacking a hospital. If his poorly crafted script kiddie hack had compromised the functions of even the administrative computers, patients' treatment could be compromised. This is a place of healing. If you fuck with a hospital's functions you should get 10 years.

The network he had access to was a hospital's LAN. He wanted to use it to DDOS which would result in saturating much of the hospital's LAN to begin with and possibly screwing with equipment in the mean time. If he hacked into a Starbucks or a McDonalds to do the same I wouldn't care as much but his stupidity overreached on this one.

While hacking into the HVAC computer, McGraw knew the risk of affecting the facility’s temperature, and the treatment and recovery of vulnerable patients. In addition, he could have affected the efficacy of all temperature-sensitive drugs and supplies. Although he denies it, access to the nurses’ station computer could have opened the door to patient records.

Given the fact that his actions could have breached confidentiality of medical records, or, you know, even killed someone due to the HVAC system going haywire and not controlling the temperature in a patient's room, or a storeroom containing temperature-sensitive medications, I'd say that 9 years and 2 months (probably being served in a minimum-security federal prison camp) doesn't sound all that unreasonable.

Are we going to imprison the people who decided to use Windows as the operating system for a critical, safety-sensitive computer? Why are we acting like the problems here end with this guy? Computers are not some magical object that dark wizards vie for control over; the fact that this guy could have endangered hospital patients because he was interacting with the HVAC computer (and ultimately, that is what he was doing: interacting with the computer) says more about the problems with the HVAC controller than about the hacker.

> (and ultimately, that is what he was doing: interacting with the computer)

Yeah, if "interacting with the computer" involves breaking into a locked room, removing security controls on a computer with a sensitive function, and then planning to use it to launch DDoS attacks against other "rival groups." This isn't like, "What, I was just at the mall, using a touchscreen kiosk to find directions to the Urban Outfitters store!"

Considering he apparently needed both physical access (in a locked room) to the compu

On the other hand, why was the HVAC system left open to these sorts of attacks? If it is as safety sensitive and critical as the FBI is claiming, one would think that Windows should be low on the list of operating systems to choose.

Building maintenance computers are expected to last for a decade or more, which is probably longer than the building maintenance people will stay on their job. These systems are written for Windows because the new guy can come in, poke around a bit, and, because he understands the basic MS programming conventions, be productive in his new position almost immediately.

I install HVAC control systems for a living. Almost all of them rely on Windows at some point along the way anymore, either for setup software or the user interface software (if it doesn't use a web interface).

However, most do NOT require the Windows computer in order to function properly. The systems either have a dedicated embedded-style building controller, or use a peer-to-peer arrangement with each device handling its own schedules and talking to each other directly to integrate. It's entirely possi

"So what if I mess around with the HVAC controller in this hospital? I have SERIOUS HACKER BUSINESS to conduct!"

He had been experimenting with fucking with the HVAC controls on purpose (turning off automated alarms for temperature levels, shutting down AC), and was going to fuck up the hospital's air conditioning, in Dallas, TX, on July 4th.

Accidentally hitting someone with a car and accidentally hitting someone with a car after you've swilled half a bottle of Gold Schlager would be treated differently. Accidents happen. Deliberately fucking with hospital systems in a way that you KNOW could cause damages and even get someone killed is not an accident.

I remember when he originally posted that video. About all I could do was /facedesk multiple times. I couldn't believe how someone of his obvious intelligence could be so incredibly stupid (not about the video or even posting it, but the fact that he actually endangered lives by his actions). It is people like him who give governments cause to intrude into our lives as much as they do.

I can't believe he thought they would not find him and call the cops. He was cracking computers at the place where he worked. It was a freaking hospital with computers full of personal data. The guy intended to launch a DOS from hospital computers leaving a clear trail of network traffic back to him.

The guy was a dumbarse, no wonder he was working as a security guy and not in IT. In my experience if anything goes missing, gets broken, or gets unexpectedly altered overnight the security staff did it. Did I t